WHAT IS CLAIMED IS: 

1. A method for preventing bandwidth congestion on a network, said method 
comprising: 

providing at least one origination client connected to the Internet through respective 
connection points; 

providing at least one destination server connected to the Internet; 

directing at least one request for connection from at least one of said origination 
clients to a target destination server over the Internet; and 

automatically, upon detecting an overload condition of requests for connection, 
blocking the origination client, or clients, responsible for said overload condition from 
accessing the Internet through its, or their, respective connection point(s). 

2. A method as claimed in claim 1, wherein said connection point through which 
said origination client(s) is blocked from accessing the Internet, is a connection point which is 
physically closest to said origination client. 

3. A method as claimed in claim 1, further comprising: 

communicating an IP address of said origination client(s) responsible for said 
overload condition to said connection point(s). 

4. A method as claimed in claim 1, further comprising: 

determining whether said blocked origination client should be permitted to gain access 
to the Internet; and 

permitting said blocked origination client to access the Internet if it is determined that 
said blocked origination client should be permitted access to the Internet. 

5. A method for preventing bandwidth congestion on a network, said method 
comprising: 

providing a destination site router connected to a destination site locally and also to an 
internet connection; 

providing a plurality of origin site routers one or many of which may be connected to 
an attacking site, wherein each of said plurality of sites has a respective address associated 
with it; 

providing connectivity between said origin and destination routers to the Internet or 
other wide area networks (WAN); 

detecting a bandwidth congestion at said destination site router, wherein said 
bandwidth congestion originates at said attacking site; 

informing said origin site router and other intermediate routers within the Internet, or 
other WAN, of said bandwidth congestion and of an attacking address corresponding to said 
attacking site from which said bandwidth congestion originated; 

preventing said attacking address corresponding to said attacking site from being used 
to gain access to the Internet or other WAN. 

6. A method in accordance with claim 5, wherein said informing is performed 
automatically by said destination router. 

7. A method in accordance with claim 5, wherein said informing is performed by 
human intervention. 

8. A method in accordance with claim 5 further comprising: 

informing a plurality of remote routers connected to the Internet of said attacking 
address. 
9. A method in accordance with claim 5, wherein said preventing is performed 
for a predetermined amount of time during which it is determined whether said attacking site 
is attempting to cause said bandwidth congestion and said attacking site is permitted to gain 
access to the Internet if it is determined that said attacking site is not attempting to cause said 
bandwidth congestion. 

10. A network system that prevents bandwidth congestion on a network, said 
system comprising: 

a destination server connected to the Internet through a destination router; 

an attack detector operable to detect a denial of service or other Internet-based attack; 

an origination client connected to the Internet through an origination router, said 
origination client being operable to initiate a denial of service or other Internet-based attack, 

wherein said attack detector is further operable to communicate an identity of said 
origination client to said origination router to prevent said origination client from being 
operable to continue said detected denial of service attack. 

11. A network system according to claim 10, wherein said communication of said 
identity of said origination client occurs automatically upon detection of said denial of service 
or other Internet-based attack. 

12. A network system that prevents bandwidth congestion on a network, said 
system comprising: 

an origin client router connected to a plurality of clients through an Internet 
connection, said plurality of clients including an attacking client, and wherein each of said 
plurality of clients has a respective address associated with it; 

a destination site router connected to a destination server, said destination site router 
or firewall or client further comprising a bandwidth congestion detector operable to detect a 
bandwidth congestion condition and a communication device operable to communicate said 
bandwidth congestion condition and said addresses to said plurality of clients; 

a router-router connection between said origin client router and said destination site 
router, wherein said router-router connection provides a discrete amount of access bandwidth 
by which said client router and said destination site router can pass data traffic back and forth 
to each other; 

wherein said bandwidth congestion detector detects a bandwidth congestion condition 
originating at said attacking client and directed to said destination server and automatically 
informs said origin client router of said attacking client's respective address, and wherein 
further, said origin client router prevents said address of said attacking client from causing 
further bandwidth congestion. 

13. A system in accordance with claim 12, wherein said destination site router 
further informs a plurality of other intermediate routers within the Internet or shared WAN 
routers in addition to said origin client router. 

14. A system in accordance with claim 12, wherein said origin client router 
prevents said address of said attacking client from gaining access to the router-router 
connection until such a time when it is determined that said attacking client is no longer 
attempting to cause bandwidth congestion. 

15. A method for preventing bandwidth congestion on a network, said method 
comprising: 

providing a destination site router connected to a destination site locally and also to an 
Internet connection; 

providing a plurality of origin site routers one or many of which may be connected to 
an attacking site, wherein each of said plurality of sites has a respective address associated 
with it; 
providing connectivity between said origin and destination routers to the Internet or 
other wide area networks (WAN); 

detecting a bandwidth congestion at a firewall connected to said destination site 
router, wherein said bandwidth congestion originates at said attacking site; 

informing said origin site router and other intermediate routers within the Internet, or 
other WAN, of said bandwidth congestion and of an attacking address corresponding to said 
attacking site from which said bandwidth congestion originated; 

preventing said attacking address corresponding to said attacking site from being used 
to gain access to the Internet or other WAN. 

16. A method for preventing bandwidth congestion on a network, said method 
comprising: 

providing a destination site router connected to a destination site locally and also to an 
Internet connection; 

providing a plurality of origin site routers one or many of which may be connected to 
an attacking site, wherein each of said plurality of sites has a respective address associated 
with it; 

providing connectivity between said origin and destination routers to the Internet or 
other wide area networks (WAN); 

detecting a bandwidth congestion at said destination site, wherein said bandwidth 
congestion originates at said attacking site; 

informing said origin site router and other intermediate routers within the Internet, or 
other WAN, of said bandwidth congestion and of an attacking address corresponding to said 
attacking site from which said bandwidth congestion originated; 

preventing said attacking address corresponding to said attacking site from being used 
to gain access to the Internet or other WAN. 
17. A network system that prevents bandwidth congestion on a network, said 
system comprising: 

an origin client router connected to a plurality of clients through an Internet 
connection, said plurality of clients including an attacking client, and wherein each of said 
plurality of clients has a respective address associated with it; 

a destination site router connected to a destination server; 

a firewall connected to said destination server, said firewall comprising a bandwidth 
congestion detector operable to detect a bandwidth congestion condition and a 
communication device operable to communicate said bandwidth congestion condition and 
said addresses to said plurality of clients; 

a router-router connection between said origin client router and said destination site 
router, wherein said router-router connection provides a discrete amount of access bandwidth 
by which said client router and said destination site router can pass data traffic back and forth 
to each other; 

wherein said bandwidth congestion detector detects a bandwidth congestion condition 
originating at said attacking client and directed to said destination server and automatically 
informs said origin client router of said attacking client's respective address, and wherein 
further, said origin client router prevents said address of said attacking client from causing 
further bandwidth congestion. 

18. A network system that prevents bandwidth congestion on a network, said 
system comprising: 

an origin client router connected to a plurality of clients through an Internet 
connection, said plurality of clients including an attacking client, and wherein each of said 
plurality of clients has a respective address associated with it; 

a destination site router connected to a destination server, said destination server 
comprising a bandwidth congestion detector operable to detect a bandwidth congestion 
condition and a communication device operable to communicate said bandwidth congestion 
condition and said addresses to said plurality of clients; 

a router-router connection between said origin client router and said destination site 
router, wherein said router-router connection provides a discrete amount of access bandwidth 
by which said client router and said destination site router can pass data traffic back and forth 
to each other; 

wherein said bandwidth congestion detector detects a bandwidth congestion condition 
originating at said attacking client and directed to said destination server and automatically 
informs said origin client router of said attacking client's respective address, and wherein 
further, said origin client router prevents said address of said attacking client from causing 
further bandwidth congestion. 

19. A computer medium storing a program operable to perform the following 
functions: 

detect an internet-based attack directed to a target server from an attacking client; 

automatically communicate an identity of said attacking client to at least one router 
through which said attacking client is connected to the Internet. 

20. A computer medium as claimed in claim 19, further operable to perform the 
following: 

prevent said attacking client from gaining access to the Internet; 

determine whether said attacking client is attempting to initiate an Internet-based 
attack; 

permit said attacking client to gain access to the Internet if it is determined that said 
attacking client is not attempting to initiate an Internet-based attack. 
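A worked illustration of the loop that claims 5 to 9, 12 to 14 and 19 to 20 describe: detect the overload on the destination side, report the attacking address to the origin router and any intermediate routers, drop that address at its own uplink for a fixed hold, then re-check whether the client is still trying and release it if it is quiet. This is added example code, not the patent's or any product's own implementation; the names FlowRecord, CongestionReport, detect_overload, OriginRouter and notify, the addresses, the 10 Mbit/s link capacity, the 30 s hold and the 1 Mbit/s re-check threshold are all assumptions made for the example, and the flow samples are constructed.

```python
"""Detect / notify / block-at-origin / re-check loop (added illustration,
not the patent's own code; all names, addresses, rates and samples are
assumptions constructed for this example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One traffic sample (constructed): source, destination, bytes, seconds."""
    src: str
    dst: str
    nbytes: int
    ts: float


@dataclass(frozen=True)
class CongestionReport:
    """Message from the destination-side detector to origin/intermediate routers."""
    attacking_addr: str
    target_addr: str
    observed_bps: float
    capacity_bps: float


def detect_overload(flows, target, capacity_bps, window_s, share=0.5):
    """Overload = aggregate rate toward `target` in the window exceeds the link;
    sources carrying at least `share` of that aggregate are reported as attacking."""
    per_src = defaultdict(int)
    for f in flows:
        if f.dst == target and 0 <= f.ts < window_s:
            per_src[f.src] += f.nbytes
    total_bps = sum(per_src.values()) * 8 / window_s
    if total_bps <= capacity_bps:
        return []
    return [CongestionReport(src, target, n * 8 / window_s, capacity_bps)
            for src, n in per_src.items() if n * 8 / window_s >= share * total_bps]


class OriginRouter:
    """Router nearest the client: drops a reported address at its WAN uplink for
    hold_s seconds, then re-checks whether that client is still pushing traffic."""

    def __init__(self, hold_s, attempt_threshold_bps):
        self.hold_s = hold_s
        self.attempt_threshold_bps = attempt_threshold_bps
        self.blocked_until = {}                # addr -> time the hold expires
        self.dropped_bytes = defaultdict(int)  # bytes the client tried while blocked

    def handle_report(self, report, now):
        self.blocked_until[report.attacking_addr] = now + self.hold_s
        self.dropped_bytes[report.attacking_addr] = 0

    def is_blocked(self, addr, now):
        return addr in self.blocked_until and now < self.blocked_until[addr]

    def forward(self, flow, now):
        """True if passed toward the WAN, False if dropped at this router."""
        if self.is_blocked(flow.src, now):
            self.dropped_bytes[flow.src] += flow.nbytes
            return False
        return True

    def review(self, addr, now):
        """After the hold: a client that kept pushing >= attempt_threshold_bps while
        blocked is held for another hold_s (False); a quiet one is released (True)."""
        if addr not in self.blocked_until:
            return True
        if now < self.blocked_until[addr]:
            return False
        if self.dropped_bytes[addr] * 8 / self.hold_s >= self.attempt_threshold_bps:
            self.blocked_until[addr] = now + self.hold_s
            self.dropped_bytes[addr] = 0
            return False
        del self.blocked_until[addr], self.dropped_bytes[addr]
        return True


def notify(routers, reports, now):
    """Fan the reports out to the origin router and the intermediate routers."""
    for router in routers:
        for report in reports:
            router.handle_report(report, now)


def run_scenario():
    target, attacker, legit = "203.0.113.10", "198.51.100.7", "198.51.100.20"
    capacity, window = 10_000_000, 1.0      # assumed 10 Mbit/s link, 1 s window
    # constructed: attacker pushes 2 MB in 1 s (16 Mbit/s); two clients send 50 kB each
    flows = [FlowRecord(attacker, target, 200_000, i * 0.1) for i in range(10)]
    flows += [FlowRecord(legit, target, 50_000, 0.3),
              FlowRecord("198.51.100.21", target, 50_000, 0.6)]
    reports = detect_overload(flows, target, capacity, window)
    origin = OriginRouter(hold_s=30.0, attempt_threshold_bps=1_000_000)
    intermediate = OriginRouter(hold_s=30.0, attempt_threshold_bps=1_000_000)
    notify([origin, intermediate], reports, now=1.0)
    attacker_passed = origin.forward(FlowRecord(attacker, target, 200_000, 1.5), now=1.5)
    legit_passed = origin.forward(FlowRecord(legit, target, 1_000, 1.5), now=1.5)
    for i in range(1, 30):  # attacker keeps hammering: 6 MB dropped in 30 s = 1.6 Mbit/s
        origin.forward(FlowRecord(attacker, target, 200_000, 1.5 + i), now=1.5 + i)
    released_first = origin.review(attacker, now=31.0)   # still attacking: held again
    released_second = origin.review(attacker, now=61.0)  # quiet in second hold: released
    return {"attackers": [r.attacking_addr for r in reports],
            "attacker_passed_during_hold": attacker_passed,
            "legit_passed_during_hold": legit_passed,
            "released_after_first_hold": released_first,
            "released_after_second_hold": released_second,
            "intermediate_blocks_attacker": intermediate.is_blocked(attacker, 5.0)}
```

The re-check in `review` is done with information the origin router has on its own: the bytes the blocked client kept sending into the dropped path. One caveat a practitioner would add: blocking by reported address only reaches the right client if that address genuinely belongs to a host behind the notified router, so with spoofed source addresses the report lands on the wrong router, and edge ingress filtering of source addresses is needed alongside this scheme.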
21. A method as claimed in claim 1, wherein one or more of said destination 
servers are protected by a respective firewall and wherein said detection of said overload 
condition is carried out by one of said respective firewalls. 

22. A method as claimed in claim 1, wherein said detection of said overload 
condition is carried out by said target destination server. 

23. A method as claimed in claim 1, wherein said detection of said overload 
condition is carried out by a respective target router operably connected to said target 
destination server. 

24. A method in accordance with claim 5, wherein said preventing is performed 
until a human administrator intervenes after determining whether said attacking site should be 
permitted to gain access to the Internet. 

25. A network system in accordance with claim 10 wherein said attack detector is 
located within a firewall device located between said destination server and said origination 
client. 

26. A network system in accordance with claim 10 wherein said attack detector is 
located within said destination server. 

27. A network system in accordance with claim 10 wherein said attack detector is 
located within said destination router. 